Rob Knake is a senior fellow at the Council on Foreign Relations and a non-resident fellow at Harvard’s Belfer Center for Science and International Affairs. He is also an advisor to SecurityScorecard. Knake served from 2011 to 2015 as Director for Cybersecurity Policy at the National Security Council.
EXPERT PERSPECTIVE – Senator Mark Warner, the Chairman of the Senate Select Committee on Intelligence, told The Cipher Brief’s Cybersecurity Summit on Wednesday that more needs to be done to ensure that companies that find themselves the victims of a cyberattack disclose the information quickly in order to head off a potentially wider breach. I have a suggestion: don’t encourage; mandate.
We are well past the time where voluntary measures by private companies can be relied upon for the security of our nation. As well intentioned as most Americans are on an individual basis, corporate interests reasonably and justifiably run counter to publicly or privately shedding light on negative information about them.
In 2015, Congress passed the Cybersecurity Information Sharing Act to remove fears that sharing information on cyber threats and incidents could lead to liability. Thanks to that legislation, no company today should have any concern that sharing information on cyber threats with another company or a government agency will result in legal peril. And yet, despite these protections, there has been no flood of sharing pouring out of the private sector.
That’s because legal liability was never a barrier to disclosure. Now, many in the policy community are focused on how to provide “incentives” to share. The big one the lawyers want is some form of immunity – albeit vague – wherein sharing details on a cyber incident would somehow absolve companies of any responsibility. That might incentivize sharing but would disincentivize investment to prevent incidents.
Instead, the Securities & Exchange Commission (SEC) should take the initiative to tighten requirements for disclosures so that they are made routinely and without a slow and cumbersome legal review. If the SEC fails to act, Congress should mandate that they do so.
Disclosure requirements should be tightened with the intent of providing investors a useful understanding of the cyber risks public companies face and what companies are doing to manage that risk. A new report commissioned by the ratings firm SecurityScorecard (where I am an advisor) and the National Association of Corporate Directors, found that public company cyber disclosures are failing to do that.
The report found that most disclosures were both vague on risks and on protective measures. One of the better disclosures the report highlighted was that a company, operating in the technology industry must “… provide security tools such as firewalls and anti-virus software…” If there are any publicly traded companies that are not deploying firewalls and anti-virus, our state of cyber insecurity is worse than anyone imagined. This level of detail does not provide meaningful information to investors.
Meaningful disclosures would involve tightening requirements on what type of incidents must be disclosed, the investments made to prevent them, and the overall success of the security program.
First, it should require that any loss of intellectual property be disclosed. Today, companies go to great lengths to conclude that the loss of intellectual property to cyber thieves was not material in order to avoid disclosure. Thus, we are left with the seeming incongruity of being told that cyber theft of economic espionage represents the greatest wealth transfer in history, and yet there are very few publicly known instances where companies have divulged that IP theft actually had a material impact on their business.
Instead of allowing companies to decide what is and is not material, the SEC should create rules that would mandate disclosure of these losses and then let investors decide what is material and what isn’t, to the company’s future prospects.
Recognizing that even the best protected companies may fall victim to persistent adversaries, the SEC should also mandate annual reporting in a separate stand-alone report on a set of metrics on company cybersecurity programs.
Join The Cipher Brief March 23-25 for a three-day Virtual Cybersecurity Summit featuring leaders from the public and private sectors, including Microsoft President Brad Smith, FireEye CEO Kevin Mandia, and a host of other public and private sector experts. The Summit is being co-hosted by Cipher Brief CEO & Publisher Suzanne Kelly and former NSA Deputy Director Rick Ledgett. Attendance is free and registration is required. Sign up today.
Meaningful annual disclosures would track adversary activity across the kill chain, showing how many intrusions made it to each stage. A standard disclosure might note the number of blocked and successful spear phishing attempts, the number of times adversaries were able to exploit a vulnerability, successful and failed attempts to install malware, lateral movement, and ultimately, actions on objectives. It would include reporting on any ransomware incidents and of course, on any previously disclosed loss of intellectual property.
It would also report on investment in security by companies, both as a total dollar figure and as a percentage of IT spending. More than anything, these simple metrics would likely prevent chronic underinvestment by public companies in cybersecurity.
Taken together, these requirements would provide investors with useful data on cyber risk to companies and how well those risks are managed, incentivizing them to be better managed. It would also begin to give the nation as a whole, a better picture of how the individual choices of companies add up to our national risk in cyberspace.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief